Protecting Connected Cars’ Over-the-Air Software Updates

Over-the-air updates of software in cars will be necessary to keep the vehicle software up-to-date and to rapidly identify and address vulnerabilities but unfortunately, OTA updates can themselves be compromised to hack a vehicle.

July 21, 2020

4 Min Read
Connected vehicles image
Standard OTA security framework will save lives, researcher predicts.

Between news surrounding data privacy, company data breaches and evolving regulations such as CCPA and GDPR, security is a hot topic in just about every industry.

And right now, “Zoombombing” is giving work-from-home videoconference attendees reason to feel uneasy. Security impacts every aspect of our lives, including the vehicles we drive.

Yet, drivers generally aren’t aware of automotive security issues.



This is probably because drivers don’t understand how dependent their vehicle is on software or how much data their vehicle is collecting and are blind to the possibility that it could be hacked to compromise its safety.

Therefore, it’s imperative that auto manufacturers and suppliers have high standards when it comes to ensuring vehicle security on behalf of consumers.

Why Security Frameworks Are Necessary

As cars become increasingly connected to support the latest technological developments such as advanced driver-assistance systems and autonomous driving features, they will have an increasing amount of physical or virtual electronic control units (ECUs) and the software that powers them.

While more technology advances mean improved consumer utility and satisfaction, the more software cars have, the more vulnerable they will be to cybersecurity breaches, malicious hacking and data theft.

Over-the-air (OTA) updates in cars will be necessary to keep the vehicle software up-to-date and to rapidly identify and address vulnerabilities, but unfortunately OTA updates can themselves be compromised to hack a vehicle.

Strong automotive-grade OTA security frameworks are necessary to add a layer of protection keeping drivers – and their data – safe.

The Benefits of Security Framework Standards

Safety and security have always been a major focus of the automotive industry. But as vehicle sophistication and connectivity increase, the industry needs to move toward the creation and adoption of industrywide open security standards.

Standardization is important because it sets the principles, rules and guidelines for the entire industry to follow and is based on thorough and consistent peer reviews and technical evaluations.

One of these emerging security standards – and the most important, in my opinion – is Uptane.

What is Uptane?

Uptane is an open and secure framework for securing OTA software updates for automotive electronics.

It was initially developed by U.S. government, academic and research organizations including the U.S. Department of Homeland Security, New York University Tandon School of Engineering, University of Michigan Transportation Research Institute and Southwest Research Institute.

Uptane has been specifically designed for the automotive industry to provide the highest level of OTA security, is under review and/or adoption by leading automakers and automotive suppliers around the world and is being codified under IEEE Industry Standards and Technology Organization.

It is projected that Uptane will be included in one-third of the new vehicles sold in the U.S. just a few years from now.

How Uptane Makes Cars Safer

Remote software updates can increase the possibility for malicious attacks on vehicles, including compromising basic automotive functions.

Uptane limits the possibility of security incidents during software updates by providing a highly resilient system that prevents hackers from installing inauthentic, out-of-date or otherwise compromised software via the OTA process.

Uptane accomplishes this by using a combination of offline and online security key signing by multiple roles with configurable key thresholds. Uptane addresses a comprehensive threat model for highly complex vehicles with multiple ECUs and supporting software and data requirements.John_Tuttle_Airbiquity.jpg.png


Uptane developer Justin Cappos, professor of computer science and engineering at NYU’s Tandon School of Engineering, tells D2P Magazine in an interview: “Really, my goal with all this is, I don’t want people to die from an attack through a software update, which I think is actually quite likely with a lot of the current designs that people were using. So Uptane is really trying to prevent that from occurring to the extent possible.”

It’s time for the automotive industry to adopt a standard OTA security framework, and Uptane is both the obvious and safest choice available today. With it, drivers will have peace of mind knowing the operation of the car, as well as the data within it, is safe while on the road.

John Tuttle (above) is vice president of engineering at Airbiquity, a pioneer in automotive telematics and a global leader in connected-vehicle service delivery.

Subscribe to a WardsAuto newsletter today!
Get the latest automotive news delivered daily or weekly. With 5 newsletters to choose from, each curated by our Editors, you can decide what matters to you most.

You May Also Like